2015: The year the Internet crashes. Hard.

2014 saw the largest Internet network attacks of all time, fundamental network programs cracked like eggs, and user IDs and passwords leaked everywhere. It will only get worse.

An Internet joke that goes back at least to the early 1980s consists entirely of the phrase: "Imminent Death of the Net Predicted!" Every year, even more often than you'd hear "This will be the year of the Linux desktop!" someone would predict that the Internet was going to go to hell in a handbasket -- and nothing happened. This year it's my turn, but I fear I'm going to be proved right.

Here's why.

Take a good look at what happened to the Internet in 2014. In February we saw the biggest distributed denial-of-service (DDoS) attack of all time. It hit a high of 400 gigabits per second (Gbps). That's more traffic than the total Internet bandwidth of a small country.

In October, Akamai reported that in the previous quarter it alone had defended its customers against 17 DDoS attacks flooding targets with traffic greater than 100 Gbps, with the largest topping out at 321 Gbps.

And, as every Xbox and Sony PlayStation gamer knows, Xbox Live and the PlayStation Network were knocked out for about 72 hours during the Christmas holiday weekend by DDoS attacks.

Who thinks we'll see a petabit-per-second DDoS attack in 2014? I do.

An attack of that magnitude may come from hackers, such as Lizard Squad, going after gaming companies for reasons that will undoubtedly remain obscure. But I think it's much more likely that it will come from a nation state.

Cyberwar is not just the stuff of science fiction. It's already happened.

Russia has been accused of taking out Estonia's Internet in 2007 and Georgia's network in 2008. Richard Stiennon, principal at security consulting firm IT-Harvest, expects that if Russia decides to seriously attack Ukraine, Ukraine's Internet would be Russia's first target.

Meanwhile, North Korea has accused the United States of attacking its Internet. And, of course, before that the FBI had said that North Korea was responsible for the Sony intrusion.

Someone is going to pull the trigger on a truly gigantic DDoS in 2015. The only question is who.

How these attacks will be made isn't so mysterious. Attackers need only abuse long-existing problems in such basic Internet protocols as Network Time Protocol (NTP) and Domain Name System (DNS). We are running the Internet using decades-old technology, and we've been really, really lazy about upgrading it.

For example, DNS-based attacks could be mitigated by the use of Domain Name System Security Extensions (DNSSEC). DNSSEC has been around since 2010, but it's still being deployed by only a tiny number of companies.

In the meantime, we also saw in 2014 an absolutely core Internet security protocol, OpenSSL, ripped apart by the Heartbleed bug. Months later, long after fixes were available, 300,000-plus Web servers were still vulnerable to that bug.

I have no doubt that other security holes are hiding in old, fundamental Internet protocol programs, and we'll find out about them the hard way in 2015.

Finally, let's not forget good old human error. Logins and passwords are also being swiped by cyber-crooks from companies all the time. As former FBI director Robert Mueller said this summer, "There are only two types of companies -- those that have been hacked, and those that will be."

Even the tech elite are vulnerable. Earlier in December, ICANN, which oversees DNS, was hacked. The attacker got access to user information, including email and postal addresses. ISC, makers of BIND, the world's most popular DNS software, also got hit, but we don't know what, if any, information was taken from the site.

Ever since I got into technology, security has been an afterthought. Security is what you do after you've been hacked and you've fired your CIO. 2015 is the year that attitude catches up with us.

I don't know how or when it will happen, but I do know what will happen. There will be a DDoS attack, probably exploiting some zero-day vulnerability of a fundamental Internet program. It will be big enough that it won't just knock some company or small country off the Internet; everyone in the world will feel its effects. And it may or may not make use of information stolen from a major IT company or Internet service body.

2015 will be the year our Internet security laziness will catch up with us. Frankly, I'll be happy if I'm dead wrong about this, but I don't think I am.
